AEPD - PS/00266/2019

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR; Article 83(2)(e) GDPR

Type: Complaint
Outcome: Upheld
Decided: 6.11.2019
Published: n/a
Fine: 1,500 EUR
Parties: Cerrajero Online SL Vs. Consumer Institute of Madrid
National Case Number: PS-00266-2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Spanish

Original Source: AEPD (in ES)

The AEPD held that an outdated privacy policy on a webpage violates Article 13 GDPR.

English Summary

Facts

The Consumer Institute of Madrid filed a complaint with the DPA about the company's privacy policy, which did not contain accurate information about how the company collects personal data and still referred to older national laws instead of the GDPR.

Dispute

Does a non-updated privacy policy infringe Article 13 GDPR?

Should the AEPD calculate the fine by taking into account that the company was not previously subject to its decisions?

Holding

The AEPD found that maintaining an old privacy policy violated Article 13 of the GDPR. The AEPD took into consideration the fact that the company did not have any previous relevant infringements according to Article 83(2)(e) GDPR for the calculation of the amount of the fine to be imposed. The case was settled over a payment of €1,500.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.






936-150719
Procedure No.: PS/00266/2019


RESOLUTION R/00574/2019 ON THE TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

In the sanctioning procedure PS/00266/2019, instructed by the Spanish Data Protection Agency to CERRAJERO ONLINE S.L., having regard to the complaint submitted by INSTITUTO MUNICIPAL DE CONSUMO DE MADRID, and based on the following,

BACKGROUND

FIRST: On 23 October 2019, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against CERRAJERO ONLINE S.L. (hereinafter, the claimed), by means of the Agreement that is transcribed:

<<
Procedure No.: PS/00266/2019


AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS



Of the actions carried out by the Spanish Data Protection Agency and based on the following


FACTS



FIRST: MADRID MUNICIPAL CONSUMPTION INSTITUTE (hereinafter referred to as
On January 22, 2019, he filed a complaint with the Spanish Data Protection Agency against CERRAJERO ONLINE S.L. with NIF B87298923 (hereinafter, the claimed).


The reasons on which the claim is based are the collection of personal data by the claimed, without providing the precise information to the interested parties in accordance with current regulations on protection of personal data.
 



SECOND: It is verified that in the "Privacy Policy" of the mentioned website, it is indicated:


- That the respondent operates in the website hosted under the domain name www.cerrajeronline.com/.


- That this policy states that "CERRAJERO ONLINE S.L., as responsible for the file, undertakes to maintain the secrecy and confidentiality of personal data that are provided, adopting all necessary security measures to prevent their loss, modification without consent or unauthorized access, in accordance with the Regulation of Development of the LOPD approved by Royal Decree 1720/2007 of 21 December. Also informs the user that at any time may exercise their rights of access, rectification, cancellation and opposition under Law 15/1999 of 13 December 1999 on the Protection of Personal Data, by notifying CERRAJERO ONLINE SL through the mail info@cerrajeronline.com."


Subsequently, the Subdirectorate General for Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).


As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been claimed.


Likewise, the following points are noted:


The complainant is informed of this complaint on 25 March 2019, and is requested to send this Agency, within a period of one month, information on the response given to the complainant regarding the reported facts, as well as the causes that have led to the incident and the measures adopted to adapt its "Privacy Policy" to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).


After the given deadline, no response has been obtained from the respondent.


LEGAL GROUNDS 



I

By virtue of the powers conferred on each supervisory authority by Article 58(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as GDPR), and as set out in Articles 47, 642 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate this procedure.
Article 63(2) of the LOPDGDD states that: 'The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this Organic Law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, in the alternative, by the general rules on administrative procedures'.


II
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as GDPR), under the heading "Definitions", provides that
"For the purposes of this Regulation
'personal data' shall mean any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, localisation data, an online identifier or one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity;
'processing' means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
Therefore, in accordance with these definitions, the collection of personal data through forms included on a website constitutes data processing, for which the data controller must comply with the provisions of Article 13 of the RGPD, a provision that has been moved from 25 May 2018 to Article 5 of Organic Law 15/1999 of 13 December on the Protection of Personal Data.
In relation to this matter, it is noted that the Spanish Data Protection Agency has at the disposal of citizens the Guide for the fulfilment of the duty to inform (https://www.aepd.es/media/guias/guia-modelo-clausula-informativa.pdf) and, in the case of low risk data processing, the free tool Facilita (https://www.aepd.es/herramientas/facilita.html).

III
Article 13 of the RGPD, which determines the information to be provided to the data subject at the time of collection of the data, provides that
"1.When personal data are obtained from a data subject, the data controller, at the time when these are obtained, shall provide him with all the information indicated below:
(a) the identity and contact details of the controller and, where appropriate, of his representative
(b) the contact details of the Data Protection Officer, if any;
(c) the purposes of the processing for which the personal data are intended and the legal basis of the processing;
(d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
(e) the recipients or categories of recipient of the personal data, if any;
(f) where applicable, the controller's intention to transfer personal data to a third country or international organisation and the existence or absence of a decision by the Commission on adequacy or, in the case of transfers referred to in Article 46 or 47 or in the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means to obtain a copy thereof or the fact that they have been provided.
 



2.	In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are collected, with the following information necessary to ensure fair and transparent processing of the data
(a) the period for which the personal data are held or, where this is not possible, the criteria used to determine this period;
(b) the existence of the right to request the controller to have access to the personal data concerning the data subject and to have them corrected, erased or restricted and the right to object to the processing, as well as the right to the portability of the data;
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent prior to withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the communication of personal data is a legal or contractual requirement, or a requirement for entering into a contract, and whether the data subject is under an obligation to supply the personal data and is informed of the possible consequences of not supplying such data;
(f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic involved and the significance and the expected impact of the processing on the data subject.
3.	Where the controller plans to further process personal data for a purpose other than that for which they were collected, he shall provide the data subject, prior to such further processing, with information on that other purpose and with any relevant additional information within the meaning of paragraph 2.
4.	The provisions of paragraphs 1, 2 and 3 shall not apply where and insofar as the information is already available to the data subject.
Article 11 of the LOPDGDD provides as follows
"Where personal data are obtained from the data subject, the controller may fulfil the duty of information laid down in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following paragraph and by indicating an electronic address or other means that allows the remaining information to be accessed easily and immediately.
2. The basic information referred to in the previous paragraph shall contain at least
(a) the identity of the controller and of his representative, in his case.
b) The purpose of the processing.
c) The possibility of exercising the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679.
If the data obtained from the data subject are to be processed for the purpose of profiling, the basic information will also include this circumstance. In this case, the data subject must be informed of his right to object to the adoption of automated individual decisions which produce legal effects on him or significantly affect him in a similar way, where this right exists in accordance with Article 22 of Regulation (EU) 2016/679.
IV
By virtue of the provisions of Article 58.2 of the RGPD, the Spanish Data Protection Agency, as the supervisory authority, has a set of corrective powers in the event of a breach of the precepts of the RGPD.
Article 58.2 of the RGPD provides the following:
"2 Each supervisory authority shall have all the following corrective powers as set out below:
(…)
(b) sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation
(...)
"(d) to instruct the controller or processor to ensure that processing operations are carried out in accordance with this Regulation, where appropriate, in a particular manner and within a specified time limit;".
"(i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case;".
Article 83(5)(b) of the GDPR states that
"'Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 20 000 000 or, in the case of an undertaking, of not more than 4 % of the total annual turnover in the preceding business year, whichever is the greater

(b) the rights of the persons concerned within the meaning of Articles 12 to 22
In turn, Article 74.a) of the LOPDGDD, under the heading "Offences considered minor" provides:
 



"The remaining infringements of a purely formal nature of the articles mentioned in Article 83(4) and (5) of Regulation (EU) 2016/679, and in particular the following, are considered minor and shall be subject to the statute of limitations for one year:
(a) Failure to comply with the principle of transparency of information or the right to information of the person concerned by not providing all the information required by Articles 13 and 14 of Regulation (EU) 2016/679.
In this case, it is taken into account that the claimant collects personal data from users who fill in the form included on the website https://www.cerrajeronline.com/ without providing them, prior to collection, all the information on data protection provided for in Article 13 of the aforementioned RGPD, invoking in its privacy policy a repealed legislation.
In accordance with the evidence available at the present time in agreement to the initiation of the sanctioning procedure, and without prejudice to what may result from the investigation, the facts set out could constitute, on the part of the defendant, an infringement of the provisions of Article 13 of the RGPD.
Likewise, if the existence of an infringement is confirmed, in accordance with the provisions of the aforementioned Article 58.2.d) of the RGPD, the resolution may order the respondent, as the person responsible for the processing, to adapt the information offered to the users whose personal data is collected from them to the requirements set forth in Article 13 of the RGPD, as well as to provide means of proof of compliance with the requirements.

V


In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the RGPD must be observed, which are the provisions that they indicate:


"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive".


"Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and the amount of the fine in each individual case, due account shall be taken of the circumstances of the case:
(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage they have suffered;
 



(b) whether the infringement was intentional or negligent;
(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32;
(e) any previous breach committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority with a view to remedying the breach and mitigating the possible adverse effects of the breach;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor notified the infringement;
(i) where the measures referred to in Article 58(2) were previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains obtained or losses avoided, directly or indirectly, through the infringement.

With regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides:

"In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account

(a) The continuing nature of the infringement.

(b) The link between the activity of the offender and the processing of personal data

(c) The benefits obtained as a result of the commission of the infringement.

(d) the possibility that the conduct of the data subject may have led to the commission of the infringement

(e) the existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity

(f) The effect on the rights of minors.
 



g) The availability, when it is not compulsory, of a data protection representative.

h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party.

In accordance with the provisions transcribed above, and without prejudice to the outcome of the proceedings, for the purposes of setting the amount of the fine to be imposed in the present case on the entity claimed to be responsible for an infringement classified in Article 83.5.b) of the RGPD, in an initial assessment, the following mitigating factors are deemed to be present:

- The claimed entity has no previous infractions (83.2 e) RGPD).

- She has not obtained direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD).

- The Respondent is not considered a large company.

The sanction to be imposed on the respondent should be graduated and set at the amount of 1,500 for the infringement of Article 58.2 of the RGPD.

Therefore, in view of the above,


By the Director of the Spanish Data Protection Agency,


AGREED:

FIRST: START PENALTY PROCEDURE to CERRAJERO ONLINE S.L. with NIF B87298923, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged infringement of article 13 of the RGPD, typified in article 83.5.b) of the RGPD.
SECOND: To appoint R.R.R. as Instructor and S.S.S. as Secretary, indicating that either of them may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of 1 October, on the Legal System of the Public Sector (LRJSP).
THIRD: TO INCORPORATE into the sanctioning file, for evidential purposes, the claim filed by the claimant and the documents obtained and generated by the Subdirectorate General of Data Inspection in relation to said claim; all of them are part of the file.

FOURTH: THAT for the purposes set forth in article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the 1,500 (one thousand five hundred euros), without prejudice to the results of the investigation.


FIFTH: TO NOTIFY the present agreement to CERRAJERO ONLINE S.L. with NIF B87298923, giving it a period of ten working days to formulate the allegations and present the evidence it considers appropriate. In your pleading you must provide your NIF and the procedure number in the heading of this document.


If within the stipulated period you do not make any allegations to this agreement to initiate, it may be considered a proposal for resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).


In accordance with the provisions of Article 85 of the LPACAP, if the penalty to be imposed is a fine, it may acknowledge its responsibility within the period granted for the formulation of arguments to the present agreement of initiation; this will be accompanied by a reduction of 20% of the penalty to be imposed in the present procedure. With the application of this reduction, the penalty would be set at EUR 1 200, and the proceedings would be resolved with the imposition of this penalty.


Similarly, at any time prior to the resolution of the present procedure, it may carry out the voluntary payment of the proposed penalty, which will entail a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 1200 euros and its payment would imply the termination of the procedure.


The reduction for the voluntary payment of the penalty can be cumulated with that for the recognition of liability, provided that this recognition of liability is shown within the time allowed for making representations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the decision. In this case, if both reductions are to be applied, the amount of the penalty shall be set at EUR 900.
 



In any case, the effectiveness of either of the two above-mentioned reductions shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.


In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above, 1200 or 900 euros, you must make it effective by paying it into account number ES00 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the CAIXABANK, S.A. Bank, indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of the reduction of the amount that you are using.


Likewise, you must send the proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.


The procedure shall have a maximum duration of nine months as of the date of the starting agreement or, where appropriate, of the draft starting agreement. Once this period has elapsed, it will expire and, consequently, the proceedings will be closed; in accordance with the provisions of article 64 of the LOPDGDD.


Finally, it is noted that in accordance with Article 112.1 of the LPACAP, there is no administrative appeal against this act.




Mar España Martí

Director of the Spanish Data Protection Agency

>>

SECOND: On 5 November 2019, the claimant has proceeded to pay the penalty in the amount of 900 euros making use of the two reductions provided for in the Agreement transcribed above, which implies the recognition of liability.
THIRD: The payment made, within the period granted for making allegations to the opening of the procedure, implies the waiver of any action or appeal in administrative action against the sanction and the acknowledgement of responsibility in relation to the facts referred to in the Initiation Agreement.

LEGAL GROUNDS

I

By virtue of the powers that Article 58.2 of the RGPD grants to each control authority, and as established in Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction any infringements committed against those Regulations; infringements of Article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of Article 84.3 of the LGT, and the infringements defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002 of 11 July on information society services and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article 43.1 of the said Act.

II

Article 85 of Law 39/2015 of 1 October 1995 on the Common Administrative Procedure for Public Administrations (LPACAP), under the heading 'Termination in penalty proceedings', provides as follows
"1. If a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the appropriate sanction.
2.	When the penalty is only pecuniary in nature or when it is possible to impose a pecuniary penalty and a non-pecuniary penalty but the latter has been justified, voluntary payment by the alleged offender, at any time prior to the decision, shall entail the termination of the proceedings, except as regards the reinstatement of the altered situation or the determination of compensation for damages caused by the commission of the offence.
3.	In both cases, where the penalty is purely financial in nature, the body responsible for deciding the procedure shall apply reductions of at least 20 % to the amount of the penalty proposed, which may be cumulative. Such reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any administrative action or appeal against the penalty.
The percentage of reduction provided for in this paragraph may be increased by regulation.
 



In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00266/2019, in accordance with the provisions of Article 85 of the LPACAP

SECOND: TO NOTIFY the present resolution to CERRAJERO ONLINE S.L.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative proceedings as provided by article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the interested parties may file a contentious-administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned Act.

Mar España Martí
Director of the Spanish Data Protection Agency